Manufacturers Fail to Eliminate Vulnerabilities on Mobile Devices

Android smartphones are vulnerable to critical security flaws an average of approximately 88 percent of the time, a group of researchers finds.

The infrequent release of security updates for Android devices has left 88 percent of smartphones and tablets vulnerable to at least one of 11 critical security flaws over the last four years, according to research published earlier this month by computer scientists at the University of Cambridge.
Using data from 20,400 devices and 40 different software projects that make up the majority of the Android code base, the researchers found that an average of 87.7 percent of devices were classified as insecure between July 2011 and July 2015. As part of the research, the computer scientists created a method of scoring the security of mobile devices in a way that takes into account how diligent manufacturers are in patching the underlying operating system.
The analysis shows that manufacturers are not taking the required steps to help lock down customers' devices, Daniel Thomas, a researcher in computer science at the University of Cambridge and a co-author of the report, told eWEEK in an email. The issues will become more significant as a variety of devices—not just smartphones—become interconnected as part of the Internet of things, he said.
"Both secure system designs and prompt security updates will be required to provide security in the Internet of things,"

The researchers focused on the Android ecosystem because there is readily available data on vulnerabilities and software updates, but iOS devices likely have the same problems, Thomas said.

"We could perform exactly the same analysis if we had the same kind of data," he said. "Since iOS is less transparent, we have not been able to obtain this data yet."
To perform the analysis on the Android ecosystem, the researchers collected vulnerability data from the AndroidVulnerabilities.org Website and historical data from the Device Analyzer project.
The researchers found that, even though the devices are typically used for at least two years after purchase, the manufacturers rarely update the core system software, with only 1.26 updates issued for each device, on average. The slow update cycle results in extended periods of vulnerability, they found.
The researchers proposed a benchmark to measure the overall security of devices and the support of their manufacturers. The benchmark, dubbed the FUM score, uses three metrics: the proportions of devices free from critical vulnerabilities and running the latest version of the Android operating system, and the mean number of vulnerabilities still unpatched by the manufacturer.
Although the most secure device, the Google Nexus, had a score of 5.17 out of a best of 10, popular manufacturers were far below that level, the researchers found. LG, the device maker with the highest security rating, only scored 3.97 out of 10, while HTC and Sony both scored a much lower 2.63.
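As an added illustration (not code from the article or from the Cambridge study), the following Python computes a FUM score over constructed device snapshots and ranks manufacturers by it. It assumes the weighting published in the Cambridge paper, FUM = 4f + 3u + 3·2/(1+e^m), which the article itself does not reproduce; the manufacturer names and snapshot data are made up.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One observation of one device (constructed sample, not Device Analyzer output)."""
    manufacturer: str
    device_id: str
    running_latest: bool      # on the newest Android release at observation time
    unpatched_critical: int   # critical vulnerabilities the device is still exposed to


def fum_score(snapshots):
    """Return f, u, m and the FUM score for one manufacturer's snapshots.

    Weighting assumed from the Cambridge paper: FUM = 4f + 3u + 3 * 2/(1+e^m),
    so a fully patched, fully up-to-date fleet scores 10 and a neglected one tends to 0.
    """
    if not snapshots:
        raise ValueError("need at least one snapshot")
    n = len(snapshots)
    f = sum(s.unpatched_critical == 0 for s in snapshots) / n   # free of critical vulns
    u = sum(s.running_latest for s in snapshots) / n            # running latest version
    m = sum(s.unpatched_critical for s in snapshots) / n        # mean outstanding vulns
    score = 4 * f + 3 * u + 3 * (2 / (1 + math.exp(m)))
    return {"f": f, "u": u, "m": m, "score": score}


def fum_by_manufacturer(snapshots):
    """Group snapshots by manufacturer and score each group, highest score first."""
    groups = defaultdict(list)
    for s in snapshots:
        groups[s.manufacturer].append(s)
    scored = {maker: fum_score(group) for maker, group in groups.items()}
    return dict(sorted(scored.items(), key=lambda kv: kv[1]["score"], reverse=True))


# Constructed sample: a diligent maker and a laggard, four snapshots each.
SAMPLE = [
    Snapshot("Maker-A", "a1", True, 0), Snapshot("Maker-A", "a2", True, 0),
    Snapshot("Maker-A", "a3", False, 2), Snapshot("Maker-A", "a4", False, 3),
    Snapshot("Maker-B", "b1", False, 4), Snapshot("Maker-B", "b2", False, 5),
    Snapshot("Maker-B", "b3", False, 3), Snapshot("Maker-B", "b4", True, 0),
]

if __name__ == "__main__":
    for maker, r in fum_by_manufacturer(SAMPLE).items():
        print(f"{maker}: f={r['f']:.2f} u={r['u']:.2f} m={r['m']:.2f} FUM={r['score']:.2f}")
```

Because the third term decays with e^m, a single long-unpatched vulnerability across a fleet drags the score down quickly, which is what makes it hard to game by shipping cosmetic updates.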
The scoring system could give government procurers and consumers a way to discern which devices are the most secure, Thomas said.
"The best way to put pressure on manufacturers to provide updates is to only buy devices from manufacturers that promise to provide updates and which have a historical record of doing so," he said. "The FUM score is hard to game, and so if companies try to maximize their score, then they will also maximize the security of their users."